I was wondering if it's possible to integrate Spring Security 3 into a GAE application without having to bring the whole Spring + Spring MVC stack with it. Every example I've seen so far has Spring Beans and / or Spring MVC in it
What I want to do is basically implement generic authentication (basic register, login, logout, reset password, etc), include OpenID, Google Authentication, Facebook Authentication, etc all in one place - Spring Security does this quite nice.
Or alternatively, I would prefer to have as few libraries as possible and roll my own, does anyone have a link or some great resource on setting up an authentication service that allows logging in with Custom Login, Google, Facebook, etc without the use of Spring Security?
You can not use Spring MVC, but anyway you need spring core.
Answer to this question is highlighted in spring security FAQ:
http://docs.spring.io/spring-security/site/faq/faq.html#faq-what-dependencies
More detailed about dependesies you can find here:
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#appendix-dependencies
Related
I am trying to build my first website using Spring boot + ReactJS and MySQL.
It's essentially a gym website where users can create an account, sign in and then choose a membership + checkout etc.
What I have done so far is:
Spring Boot REST Api for creating a new customer + other CRUD features.
React Front End Registration form with Spring boot server validation, the form posts the data to the REST api using axios.
I have a design in figma of the website and I've been working on that in the meanwhile because honestly, i am stuck.
Some problems I'm facing:
Spring Security, I have used JSP before and it was easier for me to get the hang of it since it is server sided and I just had controller methods etc. Now that I'm using react I have no idea how the security function would work with Spring Boot.
Since the front and back end are served on different ports, how would my Spring configure
method look like? (The class that extends WebSecurityConfigurerAdapter).
How do I restrict access to URL's on the front end using React Router? Since Spring Boot and React router are both on different ends I am struggling to understand how that works? What about the API endpoints being accessible as well.
Authentication + Authorization, I've looked up tutorials and I've pretty much only seen Authentication by the use of JWT tokens when working with Spring Boot + React, is there no other option other than JWT? (For me it looks really confusing so I'd like to know if there's a valid alternative or not) - if not , why JWT?
I know Spring Security on its own is a complicated framework and I've read a alot about it, though some concepts do confuse me. (UserDetailsService vs UserDetails, Types of Authentication Managers you get)
In general, the integration of Spring Boot with a SPA such as react, if someone could explain the flow of how it functions on both the front and back end.
Not long ago i had similar problems like u. I would suggest to check out this tutorial: https://youtu.be/VVn9OG9nfH0
It should answer all of your questions.
I have a similar question to this one however our application (which makes use of only Spring Beans & Annotations) currently does not use the Spring Security component/API. Would like to know if we can support the plain vanilla login (based on username password) mechanism for one set of users and support SAML based logins for another set of users (thereby using only Spring SAML extension). Or is there some basic Spring security config to incorporate before we use the SAML extension? Thanks in advance.
It is in fact possible to use Spring SAML extension without 'implementing' the Spring security aspect in the project. However the spring security jars are needed as a dependency.
I need to make simple CRUD application with user registration and authentication using Spring boot, but I have some trouble figuring out how to do this right. I have created user table at RDMS and set up Redis for storing user sessions as explained here.
At Spring boot docs it's said that
If Spring Security is on the classpath then web applications will be
secure by default with ‘basic’ authentication on all HTTP endpoints.
But I defined several CrudRepository intefaces and after starting my application I can GET it's data using browser without authentication. I thought that it should work out of the box without additional tuning and therefore checked if Spring Security is on the classpath with gradlew dependencies command and it appears to be there:
Also default user password that should be displayed during application start up does not show up. So maybe I am missing something here?
Also I am not sure if that would be the best option for mobile app because it possibly uses short-living tokens. There are several other options, among which using a WebView and cookies (as was recommended by Google long ago), creating a custom authentication entry point, using approach that was used in Angular web app and finally stateless authentication with OAuth 2.0. Directly in opposite to author of Angular web app tutorial who claims
The main point to take on board here is that security is stateful. You
can’t have a secure, stateless application.
So how do we need to pass token? How long should it live? Do we need to make additional XSRF token or not? Should we use out of the box solution or implement own one? Can we make it stateless?
I come from an ASP.NET background. In ASP.NET, there is built-in support for users and roles. My question is, does JSP have anything similar or is everything built from scratch? I have not been able to find a good resource to answer this application structure type of question.
The Servlet API supports user/role based authentication and security. Tomcat (among others) includes built in support for authenticating using a variety of sources: xml file, database, LDAP, etc.
You could also consider using Spring MVC as a fairly lightweight web framework over JSP. Spring has a very capable authentication & authorization model (right down to method level on objects) using Spring Security (was Acegi) interceptors which can use the sorts of sources that Asaph talks about. You don't need to use Spring MVC in order to use Spring Security if you don't want to.
If you're going to be running your JSPs in a full J2EE server like JBoss, WebLogic or WebSphere there are a whole load of security options that come with such containers incl. integration with AD users and groups.
What is appropriate way to integrate SpringSecurity with Capcha ?
I have following use case :
When user will tries to login, if we he failed to login N times, captcha will be displayed, so authentication will be using three parameters : username, password, captcha. But Spring Security doesn't support built in Captcha handling.
I just start thinking about implementation. And have following variants:
Adding separate security filter in Spring Security filter stack,
Entirely rewrite AuthenticationProcessingFilter to support some Captcha
Use some programmatic authentication with interception captcha logic and then transfering username and password to Spring Security
As a Captcha implementation I think about JCaptcha, but what your thougths?
As an alternative to using JCaptcha, if you'd like to use the reCAPTCHA Service on your site, then check out the free Section 4.4 (direct PDF link) of the new Spring in Practice book (currently in beta).
This shows you integration with Spring MVC and Spring Validation. Since the integration is on the front-end, w/external APIs, Spring Security doesn't really come into the picture here.
I am not sure what your use case is? Are you hoping to use captchas as an alternative to authentication to prove "human"-ness?
Take a look at this article: Spring Security 3: Integrating reCAPTCHA Service.
This uses two filters to make reCAPTCHA integration as seamless and unobstrusive as possible. That means your existing Spring Security implementation will not break. No need to touch existing classes
I've done integration with reCaptcha and Spring Security (Spring Web Flow + JSF) by defining custom security filter. Maybe it isn't most elegant, but works good.
You can look at my blog - unfortunately in polish, but maybe will help You or someone...
http://marioosh.net/blog/?p=1087
Kaptcha is easy to use.